After enabling an Application Control rule that logs writing to USB drives, one or more of the entries below are logged in the Control log on the endpoint.
When a user copies a file to a removable USB device, File Size lists 0 Bytes.
When the same file is copied to a removable drive, the Control log File Size shows the actual size of the file.
If a file Copy to the USB device is blocked by the Application Control policy, the Control log will show two entries: "File write blocked" and "File delete blocked".
If a File Delete or File Update (rather than Copy) to the USB device is blocked by the Application Control policy, the Control log will only show "File write blocked".
This is by design, based on the way Endpoint Protection (SEP) Application Control rules were implemented, and is documented in the in-product Help titled "Application and Device Control logs and quick reports".
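Because a blocked Copy produces two entries and a blocked Delete or Update produces one, counting raw entries overstates the number of blocked operations. The following added example (not Symantec code) collapses entries into one event per operation; the record fields, timestamp format and 2-second pairing window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

WRITE = "File write blocked"
DELETE = "File delete blocked"
FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format for this example

# Constructed sample records; field names are assumptions, not the product's export format.
SAMPLE = [
    {"time": "2024-01-10 09:00:01", "action": WRITE, "path": r"E:\report.docx"},
    {"time": "2024-01-10 09:00:01", "action": DELETE, "path": r"E:\report.docx"},
    {"time": "2024-01-10 09:05:30", "action": WRITE, "path": r"E:\notes.txt"},
    {"time": "2024-01-10 09:10:02", "action": DELETE, "path": r"E:\data.csv"},
    {"time": "2024-01-10 09:10:02", "action": WRITE, "path": r"E:\data.csv"},
]


def classify_blocked(records, window_seconds=2):
    """Return one (path, kind) tuple per blocked operation.

    A "File write blocked" entry with a "File delete blocked" entry for the
    same path inside the window is treated as one blocked copy. A lone
    "File write blocked" entry is a blocked delete or update.
    """
    window = timedelta(seconds=window_seconds)
    rows = [(datetime.strptime(r["time"], FMT), r["action"], r["path"])
            for r in records]
    rows.sort(key=lambda row: row[0])
    deletes = [row for row in rows if row[1] == DELETE]
    events = []
    for when, action, path in rows:
        if action != WRITE:
            continue
        # Match in either direction: entry order inside one second is not guaranteed.
        match = next((d for d in deletes
                      if d[2].lower() == path.lower()
                      and abs(d[0] - when) <= window), None)
        if match is not None:
            deletes.remove(match)
            events.append((path, "blocked copy"))
        else:
            events.append((path, "blocked delete or update"))
    # Delete entries with no matching write are reported rather than dropped.
    events.extend((d[2], "unpaired delete entry") for d in deletes)
    return events


if __name__ == "__main__":
    for path, kind in classify_blocked(SAMPLE):
        print(f"{kind}: {path}")
```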
Imported Document ID: TECH167002